Privacy breaches by the national archive involve almost 7400 name entries and sensitive details of patients at the now-defunct Sunnyside psychiatric hospital.
The restricted information mistakenly made open access included names, ages, marital status and “the condition people were admitted for”.
The scale of the breaches has become clear after a public apology issued by Archives New Zealand.
“We sincerely apologise for this incident, which was a result of human error,” it said in a statement online.
The records included seven years of patients admitted after committing a criminal offence, their offence and what prior institutions they had been in, from 1966-73.
There were four years of records of admissions, voluntary boarders and those discharged from 1952-56. And lastly, a hospital diary for 1968 about various patients.
Some of the names appeared multiple times, so the 7397 name entries across the three volumes did not represent that many individuals, Archives NZ said.
The agency had not notified any of the individuals before now, three months after it was alerted to the breaches by a former staffer on 19 September.
“We have been working as fast as we can to address this”, chief archivist Anahera Morehu told RNZ on Monday.
A second member of the public, who remains unidentified, accessed the files twice – on 23 and 28 August.
“It has not been possible to determine whether images were downloaded or shared during the access events.”
But these breaches lasted less than five minutes each, and the former staffer who later saw the files “understood the sensitivity” so alerted Archives NZ directly.
“We have a high degree of confidence that the scope is limited,” Morehu said.
Privacy Commissioner Michael Webster said notifications should be “carefully handled and with pace”, but later said Archives NZ did the right thing telling him straight away, so he could be a sounding board as it worked on a response plan.
RNZ learned of the breach in a document released under the Official Information Act. Officials wanted news of it held back from the public for another month so it could put “supports” around the people identified.
“We have accelerated our response,” Morehu told RNZ late Monday. “This has unfortunately impacted the information we have available at this time.”
With so many name entries, it would take “a lengthy investigation” to determine the exact number of individuals.
“Likewise, due to the date ranges and number of name entries, it was not practicable to trace all the affected parties and inform them within a reasonable timeframe ,” she said.
“Through public notification, we hope to reach as many people as possible, as quickly as possible.”
Archives NZ had worked “at pace” and ensured it was thorough, alongside the Privacy Commissioner and Te Whatu Ora, which entrusted the information to Archives NZ, she added.
“Indexing of the records prior to notification of the breach has also occurred, to ensure anyone potentially affected can obtain information as to what was included, in a timely manner,” Morehu said in a lengthy statement.
The files are related to the hearings of the Royal Commission of Inquiry into Abuse in Care.
The breaches are on top of 10 months of shutdowns and security breaches of Archives NZ’s new Collections Search system that has exposed at least 8900 restricted files online, in open access, where the public could see them.
Archives for months told users the search system shutdowns were for essential maintenance.
Internal Affairs Minister Jan Tinetti last week said the Sunnyside breaches were an “operational matter”.
The Privacy Commissioner said responding to breaches was a balancing act, particularly when it involved people who may be at risk of being retraumatised.
“The office does want people notified as quickly as possible, but we want agencies to do their notifications with care and with people as their focus,” Webster said.
Archives NZ provided a phone number and email for anyone left anxious or worried, and suggested calling or texting 1737 “any time of the day or night to talk to a counsellor – all calls are free and confidential.
“You can also reach out to your GP or healthcare provider.”
Story Credit: rnz.co.nz